Microsoft disrupts botnet that generated $2.7M per month for operators

Microsoft's Cybercrime Center, where the Digital Crimes Unit coordinated its investigation of ZeroAccess, was opened in November.


On Thursday, Microsoft's Digital Crimes Unit, the legal and technical team that has driven the takedown of botnets such as Bamital and Nitol during the past year, announced that it has moved with Europol, industry partners, and the FBI to disrupt yet another search fraud botnet. The ZeroAccess botnet, also known as ZAccess or Sirefef, has taken over approximately 2 million PCs worldwide; Microsoft estimates that it has cost search engine advertisers on Google, Bing, and Yahoo over $2.7 million each month.


According to security reporter Brian Krebs, ZeroAccess began its life cycle in 2009 as a delivery network for other malware—dropping paying customers' viruses and Trojans, including "scareware" fake antivirus packages—onto PCs it had successfully infected. But since then, it has evolved into a "clickfraud" platform—intercepting search requests from the user's Web browser and injecting fraudulent hyperlinks into the results returned from major search sites. The botnet operators get paid through advertising networks for the traffic sent to the sites as if the user had clicked on a legitimate ad.

After identifying the IP addresses of 18 command-and-control servers involved in directing ZeroAccess, Microsoft filed civil lawsuits last week against the botnet operators in the US District Court for the Western District of Texas. The court gave Microsoft permission to block traffic between those servers and PCs in the US using technology provided by networking vendor A10 Networks.

As Microsoft executed the traffic block, Europol's European Cybercrime Center in Germany coordinated law enforcement raids on the locations of those IP addresses, resulting in the seizure of the servers involved. Law enforcement in Latvia, Germany, Switzerland, and Luxembourg were involved in the seizures.

But ZeroAccess may not be down for long. While the C&C servers are down, the botnet uses a peer-to-peer connection between infected systems to spread software updates, new configuration information, and other payloads. The C&C servers targeted only delivered part of the overall clickfraud package that included instructions on where to redirect traffic and the data required to get credit for the click from the advertiser. The only way to effectively dismantle the botnet would be to clean all of the infected PCs of the malware.

Update: According to analysis from researchers at Damballa, Microsoft's attempt to take down ZeroAccess' C&C infrastructure was a failure, because it left a significant number of servers still active. By the estimates of researcher Yacin Nadji and Damballa chief scientist Manos Antonakakis, 62 percent of the C&C infrastructure remained active after the 18 identified IP addresses were taken down. The researchers noted that even if Microsoft had been effective in taking down all of the C&C infrastructure, the botnet would be able to continue to operate unless the P2P communications were disrupted as well. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations," they wrote in a blog post to be published today. "This extensive legal work can be undone in a matter of hours."

As a result, taking the servers down may only temporarily disrupt the flow of clicks (and corresponding flow of cash). Microsoft hopes that by taking down the servers, it will be able to identify which advertising affiliates and publishers were tied to the botnet operators by their sudden drop in sent traffic.
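One way the "sudden drop in sent traffic" signal described above could be checked, as an added example that is not part of the article and not Microsoft's own method: compare each affiliate's mean daily click volume before and after a takedown date and flag those whose traffic collapsed. The click records and affiliate ids below are constructed placeholders, not data from the ZeroAccess case.

```python
"""Flag advertising affiliates whose traffic collapsed after a C&C takedown.

Constructed example: the daily click counts below are made up, and the
affiliate ids are placeholders, not identifiers from the ZeroAccess case.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed daily click records: (day, affiliate_id, clicks)
CLICK_LOG = [
    (date(2013, 12, 1), "aff-A", 10200), (date(2013, 12, 2), "aff-A", 9900),
    (date(2013, 12, 3), "aff-A", 10400), (date(2013, 12, 4), "aff-A", 10100),
    (date(2013, 12, 6), "aff-A", 1200),  (date(2013, 12, 7), "aff-A", 900),
    (date(2013, 12, 8), "aff-A", 1100),
    (date(2013, 12, 1), "aff-B", 3000),  (date(2013, 12, 2), "aff-B", 3100),
    (date(2013, 12, 3), "aff-B", 2900),  (date(2013, 12, 4), "aff-B", 3050),
    (date(2013, 12, 6), "aff-B", 2950),  (date(2013, 12, 7), "aff-B", 3100),
    (date(2013, 12, 8), "aff-B", 3000),
    (date(2013, 12, 1), "aff-C", 500),   (date(2013, 12, 6), "aff-C", 450),
]
TAKEDOWN = date(2013, 12, 5)  # constructed takedown date

def daily_means(log, takedown):
    """Return {affiliate: (mean before, mean after, days before, days after)}."""
    before, after = defaultdict(list), defaultdict(list)
    for day, aff, clicks in log:
        (before if day < takedown else after)[aff].append(clicks)
    out = {}
    for aff in set(before) | set(after):
        b, a = before.get(aff, []), after.get(aff, [])
        out[aff] = (mean(b) if b else 0.0, mean(a) if a else 0.0, len(b), len(a))
    return out

def suspicious_affiliates(log, takedown, min_drop=0.75, min_days=3):
    """Affiliates whose mean daily clicks fell by at least min_drop.

    Requires min_days of data on each side of the takedown so a single quiet
    day does not trigger a false positive; affiliates with too little
    history are skipped rather than flagged.
    """
    flagged = {}
    for aff, (b, a, nb, na) in daily_means(log, takedown).items():
        if nb < min_days or na < min_days or b == 0:
            continue
        drop = 1 - a / b
        if drop >= min_drop:
            flagged[aff] = round(drop, 3)
    return flagged

if __name__ == "__main__":
    for aff, drop in sorted(suspicious_affiliates(CLICK_LOG, TAKEDOWN).items()):
        print(f"{aff}: traffic dropped {drop:.0%} after the takedown")
```

A real investigation would of course have to rule out benign explanations for a drop (a campaign ending, a publisher going offline) before treating a flagged affiliate as tied to the botnet.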

It's an unfortunate situation that this ultimately ends up being like trying to destroy a cockroach infestation with a fly swatter. But every attempt to eradicate malware crime is a good thing, so good on Microsoft.

Should not these web advertising affiliates and publishers get some of the heat for allowing the initial malware package to get broadcast in the first place? Better screening, vetting, and a bit of responsibility?

If only there was some sort of government agency that tracked the majority of the web's traffic! Then private companies like Microsoft wouldn't have to spend time, money, and effort tracking these things down!

It's an unfortunate situation that this ultimately ends up being like trying to destroy a cockroach infestation with a fly swatter. But every attempt to eradicate malware crime is a good thing, so good on Microsoft.

Unfortunately that has been true about fighting crime for forever. Now it's just different that the cockroaches can reach across the planet to annoy you.

A number of large companies have these kinds of labs. Target corp has an accredited crime lab that does computer forensics, finger print and DNS analysis and video forensics. They have been known to take on case work from gov't organizations. (Sadly) It has better accreditation and chain of control process than many local gov't labs.

So it's not surprising MS has this kind of thing given the number of old unpatched Windows boxes there are out there.

I'm still not clear on exactly why the botnet operators can't be identified, tracked down, and arrested. If they're getting paid to the tune of $2.7M per month, there must be a way to follow that money.

Is Google doing anything serious about those click frauds for their customers? Just asking because it seems they have financial interest in keeping them going.

IIRC When fraud is detected they have to refund the money they took from the advertiser; but the fraudster's typically already disappeared with the money it took from Google/etc. Excessive levels of fraud would make AdWords less attractive to honest businesses which would hit their bottom line hard.

That said, I think MS is the only large (non-security related) tech company conducting large scale offensives against the scum; and Google's been nailed at least once, to the tune of $500m, for turning a blind eye to illegal advertising.

A number of large companies have these kinds of labs. Target corp has an accredited crime lab that does computer forensics, finger print and DNS analysis and video forensics. They have been known to take on case work from gov't organizations. (Sadly) It has better accreditation and chain of control process than many local gov't labs.

So it's not surprising MS has this kind of thing given the number of old unpatched Windows boxes there are out there.

If I worked for Microsoft, which I do not, that would be the part of Microsoft I would most like to work in.

Seriously -- if the choice is designing yet another new UI for Office, or tracking botnets and disassembling them, I know what I'd rather be doing.

I'm still not clear on exactly why the botnet operators can't be identified, tracked down, and arrested. If they're getting paid to the tune of $2.7M per month, there must be a way to follow that money.

I have often asked the same thing (usually about spammers) and never got a satisfactory answer. I eventually stopped asking.

I'm still not clear on exactly why the botnet operators can't be identified, tracked down, and arrested. If they're getting paid to the tune of $2.7M per month, there must be a way to follow that money.

I have often asked the same thing (usually about spammers) and never got a satisfactory answer. I eventually stopped asking.

The money both groups get is dumped into the same money laundering system that organized crime uses for the rest of its crime. They get busted every once in a while; but taking down a big chunk of the mafia is much harder than just seizing a bunch of C&C servers. Just like botnets get smashed a lot more often than their operators are dragged into court.

The money both groups get is dumped into the same money laundering system that organized crime uses for the rest of its crime.

I don't understand how that would work. These aren't cash transactions - they're passing through an online billing service who, among other things, is responsible to the IRS. I'd think it would be fairly easy to conduct a transaction and then track the money to an entity that interfaces with a bank of some sort, not to mention a credit card processing business. Setting aside the recent Bitcoin phenomenon (which will be a scammer's paradise if it goes mainstream), someone has to turn their "sale" into actual cash.

(Of course if the scammer is overseas then that lowers my already subterranean opinion of the stupid shits who buy from them in the first place. They deserve to be fleeced in that case, just to demonstrate what indiscriminate dumbfucks they are, and if they lose their computer in the process so much the better.)

I'm still not clear on exactly why the botnet operators can't be identified, tracked down, and arrested. If they're getting paid to the tune of $2.7M per month, there must be a way to follow that money.

I have often asked the same thing (usually about spammers) and never got a satisfactory answer. I eventually stopped asking.

The money both groups get is dumped into the same money laundering system that organized crime uses for the rest of its crime. They get busted every once in a while; but taking down a big chunk of the mafia is much harder than just seizing a bunch of C&C servers. Just like botnets get smashed a lot more often than their operators are dragged into court.

Yeah, really the take away is that when international law enforcement gets a "hacker" they are, like in many other parts of law enforcement, really only getting the "low hanging fruit". Folks of the "Script Kiddie" levels get busted all the time, because they're using the tools without any real understanding of the complexities involved in obfuscating attack sources, etc. When it comes to Organized Crime folks, though, remaining below the radar for purposes of revenue acquisition and various other control purposes is their bread and butter, they just have different tools to utilize now.

I'm still not clear on exactly why the botnet operators can't be identified, tracked down, and arrested. If they're getting paid to the tune of $2.7M per month, there must be a way to follow that money.

That task can be a lot harder than you might think, especially when the money has moved through third parties and shell companies, crossing international borders. By the time investigators unravel that mess sometimes all they get is a fake name that the real criminal no longer uses. That's not to say this investigation angle is impossible, but it's not foolproof.

Does anybody else question why Microsoft waited until the Christmas shopping season to advertise their new 'super high tech cyber crime lab'? All I'm seeing here is seasonal marketing fluff on par with Amazon's new 'futuristic drone delivery service'.

Microsoft's security labs were well known before this particular release. You as an individual not being aware of it is not particularly indicative.

That task can be a lot harder than you might think, especially when the money has moved through third parties and shell companies

I still don't get it, though. The IRS and other government entities can come after you for an overdue library book, but there is no way to shut down someone who processes credit card transactions?

(I'm not talking about information phishers, but people who actually charge your account and conduct a transaction.)

This seems like a huge gap in commerce regulations.

Quote:

...crossing international borders.

Again, anyone who does business internationally without first vetting who they are handing their CC number to deserves what they get. There is a minimum level of basic awareness necessary to interact with the world, and not understanding this falls into the level of becoming a ward of the state.

We laugh at the naivety of someone who might walk around a seedy area with a handful of hundreds in plain sight, but we don't laugh at anyone who buys shit from an overseas site that advertises through deceptive means, with no idea that it is likely a scam?

The reason I'm so hostile to such people is that they are the ones providing sc/pammers with the funds to continue pestering the rest of us. (And ask any mail administrator; spam is a very real drain on their resources.)

Again, anyone who does business internationally without first vetting who they are handing their CC number to deserves what they get. There is a minimum level of basic awareness necessary to interact with the world, and not understanding this falls into the level of becoming a ward of the state.

We laugh at the naivety of someone who might walk around a seedy area with a handful of hundreds in plain sight, but we don't laugh at anyone who buys shit from an overseas site that advertises through deceptive means, with no idea that it is likely a scam?

The reason I'm so hostile to such people is that they are the ones providing sc/pammers with the funds to continue pestering the rest of us. (And ask any mail administrator; spam is a very real drain on their resources.)

This revolves around advertising dollars, not products.

Quote:

The botnet operators get paid through advertising networks for the traffic sent to the sites as if the user had clicked on a legitimate ad.

That task can be a lot harder than you might think, especially when the money has moved through third parties and shell companies

I still don't get it, though. The IRS and other government entities can come after you for an overdue library book, but there is no way to shut down someone who processes credit card transactions?

(I'm not talking about information phishers, but people who actually charge your account and conduct a transaction.)

This seems like a huge gap in commerce regulations.

Many of these schemes likely use transaction processors in countries where the right amount of money to the right people in the right places allows you to move money around to your heart's content.

People like to complain about how corrupt and inept the US government is, but, by comparison to many countries, it actually is fairly principled.

Quote:

Quote:

...crossing international borders.

Again, anyone who does business internationally without first vetting who they are handing their CC number to deserves what they get. There is a minimum level of basic awareness necessary to interact with the world, and not understanding this falls into the level of becoming a ward of the state.

We laugh at the naivety of someone who might walk around a seedy area with a handful of hundreds in plain sight, but we don't laugh at anyone who buys shit from an overseas site that advertises through deceptive means, with no idea that it is likely a scam?

The reason I'm so hostile to such people is that they are the ones providing sc/pammers with the funds to continue pestering the rest of us. (And ask any mail administrator; spam is a very real drain on their resources.)

This seems to betray a fairly naive "laissez faire" mindset on your part. The fact of the matter is that many, many systems are in place to make sure that people *can* purchase across borders safely, but there's good money in circumventing those systems. Your average person on the street cannot be expected to be experts on transactional security (nor should they be).

I still don't get it, though. The IRS and other government entities can come after you for an overdue library book, but there is no way to shut down someone who processes credit card transactions?

If I'm understanding the scam correctly, the money is being paid by Google and other click-based advertising companies directly to accounts owned by the botnet operators. The problem with tracking them down is that they are hidden in plain sight among the millions(?) of legitimate click-based advertising dollar transactions flying all over the world. Plus as commented earlier, these accounts get laundered by the money traveling internationally through dozens of other accounts set up in countries that I'm guessing lack strict banking standards. What I'm wondering is if the spoofed click-through transactions are just considered a "cost of doing business" for Google, and that's why they have not invested money into the problem. No one is hacking Google, it's the MS-based systems that are infected to cleverly trick Google into paying for a click that didn't occur.

Quote:

Again, anyone who does business internationally without first vetting who they are handing their CC number to deserves what they get. There is a minimum level of basic awareness necessary to interact with the world, and not understanding this falls into the level of becoming a ward of the state.

Tell Google not to do business with anyone outside of the US, Western Europe, or anywhere where fraud could be perpetuated...

Now here's a potentially interesting thought: would it be possible to use the captured C&C servers to issue commands to the infected machines to clean themselves up?

Let me see if this makes sense...

The command and control servers are able to issue commands to infected machines. If it is possible for the infected machines to spread to other machines (infected or otherwise), it should, in theory, be possible to use those same mechanisms to disinfect those same machines, as well as plug the security hole that was used to infect them in the first place. Suppose that the C&C servers issue an 'update' to whatever spyware it was that was running on the infected machines. In that update, it modifies the spyware so that it will, on a particular day, delete itself and run a patch to plug the hole by which the machine was originally infected. Now I'm guessing that not all infected machines are in direct contact with the C&C servers, but they do work peer to peer as mentioned. It should still, in theory, be possible for an infected peer who has received the "disinfect" patch to then issue that same "disinfect" to any other infected machines that it is in communications with.

It may not be totally ethical, but it would be an interesting fix to the problem. It would also be quite surprising to the botnet operator when suddenly a large portion of his bots are taken out and are no longer able to be infected by the same means they were before.

Now here's a potentially interesting thought: would it be possible to use the captured C&C servers to issue commands to the infected machines to clean themselves up?

I'm pretty sure this has actually been attempted recently.

Also, if you remember, back around 2002 or so, there was a worm that went around attempting to fix machines that were infected by a previous worm. Problem was that it turned networks into an infect/fix firestorm and, while well intentioned, ultimately made things more complicated than they first were.

I mention it, because unless you really control for every variable in the botnet/malware, you could potentially cause behaviors that weren't initially expected and even make things worse for those with infected hosts.

The fact of the matter is that many, many systems are in place to make sure that people *can* purchase across borders safely, but there's good money in circumventing those systems. Your average person on the street cannot be expected to be experts on transactional security (nor should they be).

They can be expected to not buy from someone who advertises through mail messages originating from illegitimate or unrelated senders ("flowers.com" does not sell Viagra) or message bodies with superfluous text from Charles Dickens tacked onto the bottom. And yet these messages continue to flood your and my mailboxes. So if indiscriminate computer users aren't buying this stuff on an ongoing basis, who is?

Thief sets up dummy company name and builds hundreds of web sites. Thief adds Google Ads to web sites. Botnet generates clicks on the ads on fake web sites, generating cash for thief. Thief moves money to safe harbor. Thief now has money and the most we can really do is shut down his fake web sites which are easy as pie to create. No one purchased anything. All the bots do is click on a link.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.